Organization feature and 1 url per organization

Hi Everyone,

I’m trying to implement Auth0 on my B2B SaaS product. Each of our customers (companies) owns its own URL (i.e. customera.myproduct.app, customerb.myproduct.app, …). Each customer has multiple users (the same email can exist under different customer environments).

I discovered your Organization feature and it works quite well for our needs. But I’m facing an issue regarding the redirection (a) and I have some feature questions/requests (b).

(a) After a successful login, I would like to redirect the user to the right environment URL. My <Auth0Provider /> is initiated with redirectUri={window.location.origin}, which can be login.myproduct.app for instance. I would then like to redirect my user to customera.qollabi.app.

Is there a way to define a redirection URL per organization? I tried using organization metadata and a rule, but it doesn’t work.

context.redirect = {
    url: context.organization.metadata.myorganizationurl
};

I’m properly redirected to the metadata URL, but this one only contains the state and not the authorization code… Any clue?

(b)
B.1 It would be nice to be able to resolve the organization URL more easily than via rules/metadata etc.

B.2 It would be nice to be able to define more security policies per organization. For now I can define a password policy, but I would like, for example, to be able to define MFA as required for all users within a specific organization.

B.3 The documentation seems wrong at this page: Application Settings. I cannot use {org_name} as a token in my callback URLs (I always receive an error)… I need to use {organization_name} to avoid the error message. Can you confirm that I’m right in using {organization_name} instead of {org_name}?

B.4 In my <Auth0Provider> (React component (auth0-react package)), I can pass an organization_id. It would be way easier to provide the organization name instead (as this is defined by us, not by a random value like the Auth0 organization_id). Now, I need to make a mapping on my side to map my URL to an Auth0 organization_id… yuck :worried:

B.5 I tried the invitation feature of the organization section. I invite a user and I specify an Auth0 database as the connection (the user doesn’t exist yet in that connection). The email is sent, but the user cannot accept the invitation as he/she doesn’t have a user account on that connection yet. I could already create the user account before the invitation, but that would mean that the user would receive a verification email before the invitation email… yuck … :worried: I think this is not really an issue with Enterprise connections (like SSO) as user accounts are already created on that end.

Hi @simon_qollabi,

organization_name is the correct URL placeholder. If you represent tenants in your application as the same string as the organization name, you can send that as a redirect URI and it will validate.

As an example, if you had an organization with organization name acme, and the allowed callback URL had https://{organization_name}.myapp.com/callback you could send a user with the redirect_uri: https://acme.myapp.com/callback and it would work.

Example authorize URL that the user would be redirected to:
https://[tenant-name].[region].auth0.com/authorize?client_id=[client-id]&scope=openid%20profile%20email&response_type=code&redirect_uri=https%3A%2F%2Facme.myapp.com%2Fcallback&organization=org_O6uxTfoyxaOylFIR&nonce=[nonce]&state=[state]

Re: B2 this is on our roadmap, though I suspect you could do this with a rule currently.

Re: B3 - updating that, thanks for catching!

Re: B4 - I hear you. We are actively considering this but I can’t confirm if we’ll allow this or not in the future currently.

Re: B5 - can you share the specific error you are getting? Does the auth0 database connection perhaps have signups disabled?

2 Likes
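
Added example, not part of the thread and not Auth0's own code: one way to do the host-to-organization mapping from B.4 and build the authorize URL shown in the reply, so that only a known tenant subdomain can become the redirect_uri. The tenant domain, client ID, organization IDs and helper names are constructed placeholders; the org_id check assumes the ID token has already been verified and carries an org_id claim.

```javascript
// Constructed placeholders: tenant domain, client ID and organization IDs.
const AUTH0_DOMAIN = "example-tenant.eu.auth0.com";
const CLIENT_ID = "EXAMPLE_CLIENT_ID";
const BASE_DOMAIN = "myproduct.app"; // product domain used in the thread

// Hypothetical mapping: organization name (the subdomain) -> organization ID.
const ORG_IDS = new Map([
  ["customera", "org_EXAMPLEaaaaaaaaaa"],
  ["customerb", "org_EXAMPLEbbbbbbbbbb"],
]);

// Organization name for a hostname, or null unless the host is exactly one
// known label directly under BASE_DOMAIN.
function orgNameFromHost(hostname) {
  const host = String(hostname).toLowerCase();
  const suffix = "." + BASE_DOMAIN;
  if (!host.endsWith(suffix)) return null; // e.g. customera.myproduct.app.evil.example
  const label = host.slice(0, -suffix.length);
  // A single DNS label only: rejects nested subdomains and odd characters.
  if (!/^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/.test(label)) return null;
  return ORG_IDS.has(label) ? label : null; // login.myproduct.app is not a tenant
}

// Build the /authorize URL for the tenant the user is visiting. The caller
// generates state and nonce and checks them again on the callback.
function buildAuthorizeUrl(hostname, state, nonce) {
  const name = orgNameFromHost(hostname);
  if (name === null) throw new Error("unknown tenant host: " + hostname);
  const params = new URLSearchParams({
    client_id: CLIENT_ID,
    scope: "openid profile email",
    response_type: "code",
    // Matches an allowed callback URL of https://{organization_name}.myproduct.app/callback
    redirect_uri: `https://${name}.${BASE_DOMAIN}/callback`,
    organization: ORG_IDS.get(name),
    nonce,
    state,
  });
  return `https://${AUTH0_DOMAIN}/authorize?${params}`;
}

// On the callback: the org_id claim of the already verified ID token must
// belong to the tenant host that received the login.
function orgClaimMatchesHost(hostname, claims) {
  const name = orgNameFromHost(hostname);
  return name !== null && claims != null && claims.org_id === ORG_IDS.get(name);
}
```

Because the same email can exist under several customers, the org_id comparison is what stops a session issued for one organization from being accepted on another customer's subdomain.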

Thanks for following up on that @adam.housman!